---
- name: check the selinux context of the git repo directory
  command: matchpathcon /srv/git
  register: distgitcontext
  check_mode: no
  changed_when: false
  tags:
  - config
  - pagure
  - selinux

- name: show the output of distgitcontext
  debug:
    var: distgitcontext.stdout
  tags:
    - selinux

- name: show if we find gitosis_var_lib_t in distgitcontext
  debug:
    var: distgitcontext.stdout.find('gitosis_var_lib_t')
  tags:
    - selinux

- name: set the SELinux policy for the distgit root directory
  command: semanage fcontext -a -t gitosis_var_lib_t "/srv/git(/.*)?"
  when: distgitcontext.stdout.find('gitosis_var_lib_t') == -1
  tags:
  - config
  - pagure
  - selinux

- name: check the selinux context of the releases directory
  command: matchpathcon /var/www/releases
  register: distgitcontext
  check_mode: no
  changed_when: false
  tags:
  - config
  - pagure
  - selinux

# Note: On Fedora its httpd_sys_content_rw_t - Don't we love confusions?
- name: set the SELinux policy for the releases directory
  command: semanage fcontext -a -t httpd_sys_rw_content_t "/var/www/releases(/.*)?"
  when: distgitcontext.stdout.find('httpd_sys_rw_content_t') == -1
  tags:
  - config
  - pagure
  - selinux

- name: Install the pagure SELinux policy
  include_role:
    name: selinux/module
  vars:
    policy_file: files/selinux/pagure.te
    policy_name: pagure
  tags:
    - selinux
    - config
    - pagure

- name: set sebooleans so pagure can talk to the network (db + redis)
  seboolean: name=httpd_can_network_connect
                    state=true
                    persistent=true
  tags:
  - config
  - selinux
  - pagure

- name: set sebooleans so apache can send emails
  seboolean: name=httpd_can_sendmail
                    state=true
                    persistent=true
  tags:
  - config
  - selinux
  - pagure

- name: set sebooleans so pygit2 can read the git repos
  seboolean: name=httpd_execmem
                    state=true
                    persistent=true
  tags:
  - config
  - selinux
  - pagure

- name: set sebooleans so ssh can retrieve access info from apache
  seboolean: name=nis_enabled
                    state=true
                    persistent=true
  tags:
  - config
  - selinux
  - pagure

- name: set sebooleans so allow nagios/nrpe to call sudo from NRPE utils scripts
  seboolean: name=nagios_run_sudo
                    state=true
                    persistent=true
  tags:
  - config
  - selinux
  - pagure
